Failover issues with WAN subnet

Getting noticed


We are having a strange problem with our MX84 firewalls. We currently have a subnet for our WAN, 66.97.20.64/28.

We have a number of NATs set up. When we are running on the one firewall everything works. When we fail over to the other firewall, all the addresses from 66.97.20.72 and up stop working. It acts like the subnet on the one firewall is set to 66.97.20.64/29. I have verified on the local page that it is set to 255.255.255.240. I even tried saving the IP address to a different IP address and it still does not work.

I am just wondering if anyone else has run into this issue.

My next step is to do a full reset of that firewall and let it rebuild.

 

5 REPLIES
A model citizen

Re: Failover issues with WAN subnet

Have you verified the IP addressing from the ISP? That it is correct on their end?
Getting noticed

Re: Failover issues with WAN subnet

Yes. And it works on one firewall but not the other.

Meraki Employee

Re: Failover issues with WAN subnet

My suspicion is that the upstream modem is still caching the ARP entry for the spare MX. A packet capture on the primary MX internet interface should show the destination MAC address of the 66.97.20.72 traffic. If that's different from the primary MX MAC address then you might try rebooting the modem.

If you're not using a virtual IP then you might try that to see if it reduces the chances of this happening. But it really depends on where the failure is coming from. You might want to give Meraki Support a call for assistance in troubleshooting the specifics of your scenario.
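
The packet-capture check suggested in the reply above, as an added example (not part of the original post and not Meraki tooling): it reads raw Ethernet frames and, for unicast IPv4 traffic addressed into 66.97.20.64/28, reports any destination MAC other than the expected one. The function names, the sample frames and both MAC addresses are constructed assumptions.

```python
import ipaddress
import struct

WAN_SUBNET = ipaddress.ip_network("66.97.20.64/28")  # WAN subnet from the thread
UPPER_HALF = ipaddress.ip_network("66.97.20.72/29")  # addresses that stop working

def parse_frame(frame: bytes):
    """Return (dst_mac, dst_ip) for a unicast IPv4 Ethernet frame, else None."""
    if len(frame) < 14 or frame[0] & 1:  # too short, or broadcast/multicast MAC
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None
    dst_ip = ipaddress.ip_address(frame[offset + 16:offset + 20])
    return frame[0:6].hex(":"), dst_ip

def stale_mac_hits(frames, expected_mac):
    """Map each WAN-subnet destination IP to the unexpected MACs it was sent to."""
    hits = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, dst_ip = parsed
        if dst_ip in WAN_SUBNET and dst_mac != expected_mac.lower():
            hits.setdefault(str(dst_ip), set()).add(dst_mac)
    return hits

def make_frame(dst_mac, dst_ip):
    """Build a minimal constructed Ethernet/IPv4 frame (zeroed except dst fields)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes(6) + b"\x08\x00"
    return eth + b"\x45" + bytes(15) + ipaddress.ip_address(dst_ip).packed

# Constructed sample: locally administered MACs, not values from the thread.
ACTIVE_MAC, OTHER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    make_frame(ACTIVE_MAC, "66.97.20.66"),           # lower half, correct MAC
    make_frame(OTHER_MAC, "66.97.20.72"),            # upper half, unexpected MAC
    make_frame(OTHER_MAC, "66.97.20.75"),
    make_frame("ff:ff:ff:ff:ff:ff", "66.97.20.79"),  # broadcast, ignored
]

if __name__ == "__main__":
    for ip, macs in sorted(stale_mac_hits(SAMPLE, ACTIVE_MAC).items()):
        half = "upper /29" if ipaddress.ip_address(ip) in UPPER_HALF else "lower /29"
        print(f"{ip} ({half}) sent to {sorted(macs)}, expected {ACTIVE_MAC}")
```

To use it on a real capture, feed `stale_mac_hits` the raw frames extracted from the downloaded pcap and the MAC address of the unit that should currently be answering for the WAN addresses.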

Kind of a big deal

Re: Failover issues with WAN subnet

I'm going to take a punt the ISP is routing 66.97.20.72/29 via the IP address of the primary MX. They can fix this by routing it simply via the interface (as opposed to specifying an IP address).

Or you could use virtual IP and have them route it via that.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#WAN_Vir... 

Getting noticed

Re: Failover issues with WAN subnet

I should have mentioned that this was working and then we swapped out the firewall via RMA. We have been using a virtual IP from the start.

Thanks
